Build & QA

CartBay is a private premium WooCommerce plugin. Contributions should preserve WooCommerce-native APIs, HPOS compatibility, Action Scheduler usage, and private licensing behavior.

Requirements

PHP 8.2 (recommended 8.3+) for Composer development alignment.
WordPress and WooCommerce matching the plugin support matrix.
Composer.
Bun (only needed for dev) or Node tooling for WordPress scripts, depending on the local environment.

PHP Commands

composer install
composer phpcs
composer phpstan
composer test
composer plugin-check

composer plugin-check intentionally ignores WordPress.org-only findings for private updater and proprietary license metadata.

JavaScript Commands

bun install
bun run build
bun run i18n:make-pot
bun run i18n:make-json

Run bun run build when changing JS source. Run bun run i18n:make-pot after adding or changing translatable strings.

Coding Standards

Namespace PHP under WPAnchorBay\CartBay\.
Use tabs for PHP indentation.
Sanitize input immediately and escape output late.
Use manage_woocommerce for admin actions.
Use WooCommerce CRUD APIs for order data.
Use Action Scheduler for jobs.
Store tokens as hashes.
Keep frontend assets scoped to their pages.

High-Risk Areas

Treat these as high-risk changes:

Checkout capture.
Restore/cart mutation.
Coupons and subscriptions.
Order matching and recovered revenue.
License enforcement.
Agent write/contact/sensitive/destructive actions.
Data deletion and uninstall behavior.

Verification Checklist

Classic checkout capture works.
Block Checkout consent field renders and submits.
Consent withdrawal deletes active capture and cancels pending work.
Abandonment jobs mark inactive sessions abandoned.
All three email steps send in order.
Restore links rebuild cart and redirect to checkout.
Coupons validate only in the matching recovery flow.
Recovered orders are attributed correctly.
Unsubscribe suppresses future capture/recovery for the email.
Agent endpoints remain disabled by default.
Logs do not expose raw tokens or full license keys.